From c01a38b3441b7a638137aa99c4ddd410a8dc4468 Mon Sep 17 00:00:00 2001 From: Anton Moryakov Date: Tue, 24 Dec 2024 15:27:09 +0300 Subject: jffsX-utils: fix integer overflow in jffs2dump.c Report of the static analyzer: The value of an arithmetic expression 'datsize + oobsize' is a subject to overflow because its operands are not cast to a larger data type before performing arithmetic. Corrections explained: - Added a check to validate datsize and oobsize to ensure they are non-negative and within a safe range. - Cast datsize and oobsize to long before performing arithmetic to prevent potential integer overflow. This change ensures safe computation of offsets and prevents undefined behavior caused by overflow. Signed-off-by: Anton Moryakov Reviewed-by: Zhihao Cheng Signed-off-by: David Oberhollenzer --- jffsX-utils/jffs2dump.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/jffsX-utils/jffs2dump.c b/jffsX-utils/jffs2dump.c index 30455ea..b757ebe 100644 --- a/jffsX-utils/jffs2dump.c +++ b/jffsX-utils/jffs2dump.c @@ -772,6 +772,13 @@ int main(int argc, char **argv) exit(EXIT_FAILURE); } + if (datsize < 0 || oobsize < 0 || datsize > imglen || (long)datsize + oobsize < 0) { + fprintf(stderr, "Error: invalid datsize/oobsize.\n"); + free(data); + close (fd); + exit(EXIT_FAILURE); + } + if (datsize && oobsize) { int idx = 0; long len = imglen; @@ -783,7 +790,7 @@ int main(int argc, char **argv) read_nocheck (fd, oob, oobsize); idx += datsize; imglen -= oobsize; - len -= datsize + oobsize; + len -= (long)datsize + oobsize; } } else { -- cgit v1.2.3